The week in security: Obama promotes breach sharing, hackers do same
- 19 January, 2015 16:56
Big-name security tools aren't catching anywhere near all of the malware they are presented with, according to the latest lab testing results from Enex Labs, which found during testing in the second half of 2014 that as many as 100 percent of tested malware was making it through the defences of eight popular security tools. The results were corroborated by a FireEye study that found traditional security defences simply are not stopping security breaches.
Little wonder that setting and practice security responses topped security priorities for this year, according to a Dimension Data survey. Much of that effort will relate to the management of mobile devices – including many that were enthusiastically received by employees for Christmas – although statistics suggesting most companies have no idea about the internal use of 'shadow IT' suggests they have other priorities too.
US president Barack Obama was in the news as he outlined a raft of cyber-security related initiatives, in advance of his State of the Union address and on the back of the international hubbub over North Korea's high-profile hacking of Sony Pictures. Reports had Obama moving to speed the reporting of consumer data breaches, while he also encouraged companies to be more forthcoming in sharing information about cyber-attacks. The US and UK will also collaborate to test and improve their respective cybersecurity efforts. Obama's formal declaration called for a privacy bill of rights and set a 30-day limit for companies to notify customers of a data breach. Obama was also calling for immunity from prosecution for companies that actively shared information on their breaches. Security experts relished the attention on cyber issues but some questioned whether Obama had gone far enough.
Yet consumer breaches were only part of the puzzle: the Twitter and YouTube accounts of US Central Command – which has been directing the airstrikes on ISIS terrorists in Iraq and Syria – were hacked by 'cyber-jihadists' in another high-profile breach. The embarrassing incident was a reminder of the high stakes as the fight against terrorists increasingly moves into the online world (another reminder would be the malware that was dished up recently to visitors to North Korea's official news agency).
EU ministers were also weighing in on cyber-security matters, with a call for ISP cooperation in the wake of the Charlie Hebdo shootings. As if to prove the point, a parody site pretending to be a BBC Web site went offline after running a fabricated story about the attack. Several high-profile French media websites also went offline, although their hosting company quickly quelled rumours of a widespread cyber-attack.
Yet citizens in Holland were fighting back, suing the government over planned data retention laws. Given that law-enforcement authorities like the FBI have expanded their access to surveillance programs in recent years, it can surprise few that citizens are concerned.
Encryption has been floated as one tool in the fight against surveillance and data theft, but just because an application uses encryption doesn't always mean it's secure. Yet some implementations may be so secure that they can't be eavesdropped upon – which could, if UK PM David Cameron has his way, see the likes of WhatsApp and SnapChat banned in that country. That's hardly likely to impress users who enjoy the use of encryption to protect their private information.
Encryption can be overrated, some experts warn: in many situations it may be available but not worth the bother. Many would be more concerned about an Instagram flaw that allowed outsiders to view private photos if they had once been marked for public viewing. although another reason for that might be the pervasive breaches such as an evolving WhatsApp spam campaign or the Facebook scam trafficking in purportedly leaked Snapchat photos.
Google annoyed Microsoft after releasing the details of the second privilege escalation flaw in Windows 8.1 in just a few weeks – and doing so just days before Microsoft's Patch Tuesday fix would have been released. This decision drew criticism for Google from the Trustworthy Software Initiative, but didn't stop Google from following up with two more disclosures.
But Google proved to be pulling its weight, too, stopping a widespread malvertising attack even as Symantec shared details of a new phishing attack targeting users' LinkedIn credentials. Indeed, figures from Akamai suggested that hackers were exploring a range of new avenues as the volume of DDoS attacks plateaued.
One older attack proved to be back for a second run, however, as the notorious CryptoWall ransomware emerged once again in a new version and Carberp banking malware targeted Australian accounts. Figures suggested UK mobile malware was surprisingly in decline, although those that were hit with ransomware might find the experience less frustrating as there were suggestions the cyber-criminals had gained a new respect for clean interface design and customer service to simplify the process of paying their extortion fees.
This article is brought to you by Enex TestLab, content directors for CSO Australia.
Upcoming IT Security Events
Feb 3rd, Feb 4th, Feb 6th 2015
Join @NirZuk #PaloAltoNetworks for Breakfast (lunch in Auckland) on keeping your enterprise safe from risk. Cyber attacks continue to increase in volume and sophistication leaving traditional security practices completely ineffective.
March 3rd, March 5th, March 9th 2015
Join CSO for the day@#csoperspectives and hear from @kimzetter @frankheidt
3 International Keynote speakers, 36 Key IT Security Industry Speaker, 21 Exhibitors, Security Analysts and many more.. Register today
Dont miss one of the biggest IT Security events in ANZ (registration is free, but seats are limited)